StackHawk
Hamburger Icon

API Security:
OWASP's Top 10
Vulnerabilities Explained

stackhawk

StackHawk|November 10, 2022

If you're new to API security, the OWASP Top 10 is the perfect place to start. This list covers the biggest risks in web apps today and how to mitigate potential vulnerabilities.

API Security: OWASP's Top 10 Vulnerabilities Explained - Picture 1 image

Every organization of any size has a security policy that outlines what developers should do to ensure their applications are safe. If a company has good API security policies, this can go a long way in protecting user data and/or stopping attacks from outside sources. For example, using tokens to authenticate users protects against brute force attacks.

This post explains API security and OWASP Top 10 vulnerabilities. This list defines what we think are the biggest risks in web applications today and serves as a starting point for building secure applications and encouraging secure coding practices. The post will also give suggestions on how you can mitigate each risk.

Before we cover OWASP's top 10 vulnerabilities, let's first understand what API security is.

What Is API Security?

API security is the implementation of security controls between our back ends and their respective consumers to prevent unauthorized access to data, systems, or accounts.

There are specific components that constitute API security:

  • Authentication: This is the process through which users provide proof of identity before being granted access to specific resources.

  • Authorization: This is how you grant users access to specific resources via authentication. You check authorization during every interaction between a user and your service.

  • Session management: We identify a user's session by associating it with their request. This can include cookies, devices, IP addresses, and other identifiers.

The Open Web Application Security Project (OWASP) is a nonprofit organization committed to improving software security.

What Is OWASP?

The Open Web Application Security Project (OWASP) is a nonprofit organization committed to improving software security. OWASP's goal is to increase awareness of software security—thus helping individuals and organizations make informed decisions about true software security risks.

The OWASP definition of API security is "the protection of APIs from unauthorized access, use, or modification."

Although API security is important, it is not foolproof. There are many ways for attackers to bypass security measures and access data or API functionality. 

Now let's look at the top 10 vulnerabilities as listed by OWASP.

OWASP's Top 10 Vulnerabilities Explained

OWASP has identified various security vulnerabilities affecting a company's web applications. OWASP released its list of the top vulnerabilities that need to be addressed to better understand developers' daily problems. The list of vulnerabilities is based on the contributions of security professionals and businesses.

The 10 critical areas from OWASP's 2021 list where most problems stem from are as follows:

1. Broken access control

2. Cryptographic failures

3. Injection attacks and command injection attacks

4. Insecure design

5. Security misconfiguration

6. Vulnerable and outdated components

7. Identification and authentication failures

8. Software and data integrity failures

9. Security logging and monitoring failures

10. Server-side request forgery

1. Broken Access Control

This vulnerability allows attackers to get information or perform actions restricted to specific users. There are several ways in which this can happen.

One example of broken access control is when an application doesn't properly restrict access to sensitive data. For example, given an API endpoint api/address/user/user_id that lists user addresses based on their user_ids, then anyone with access to that data can view or modify it (i.e., by trying different user_ids especially if the IDs were auto-incremented).

Mitigation

Don't allow your API users to "guess" the authentication mechanism you're using. Avoid hardcoded tokens, secrets, and keys. Try to use something more secure such as OAuth 2.0 tokens and cookies with credentials encrypted (hashed).

Use role-based authorization—this way, you can manage which users have access to which functionality and ensure no third-party application can access your system.

2. Cryptographic Failures

Cryptography vulnerability occurs when your application fails to properly use cryptographic functions such as hashing, encryption, and digital signatures (public key or symmetric). This common mistake allows hackers to perform many attacks, such as spoofing.

Spoofing is the first step attackers take when they get access to your system. They'll create a domain and then try to capture the user's authentication credentials. If they succeed, they'll try to do the same thing in other applications that use the same mechanism.

Mitigation

Use proper cryptography. Ideally, use a public key infrastructure (PKI) and ensure you have a certificate for each user. This will solve the problem of spoofing because if the domain is trusted, the user won't accept any certificate presented by someone else.

Don't store sensitive data in clear text. If you need to get data from one system to another, use an XMLHttpRequest (or, even better, HttpWebRequest), encrypt it, and then send it via HTTPS.

3. Injection Attacks and Command Injection Attacks

These attacks are about running malicious code through unexpected input methods (e.g., overloading a variable with external input) or entering malicious code into a legitimate website. These types of attacks are the most common in web applications. They could cause data theft or session hijacking, leading to impersonation or privilege escalation attacks.

Mitigation

1. Limit input through allowlisting where applicable.

2. Use output encoding techniques for untrusted data.

3. Enable parametrized queries for databases.

4. Insecure Design

This is an area where developers aren't incorporating application security into their system's design, or it isn't done correctly when they do. When designing a new framework, you should always strive to integrate security throughout your application as much as possible. Otherwise, you'll repeat yourself throughout your app's design and maintenance phases.

Mitigation

1. Have security-critical functions as methods on the class that handles them rather than inside controllers.

2. Never give more data to a third-party company than you have access to; have policies in place for dealing with it if you do.

This vulnerability involves the improper configuration of security mechanisms that can be publicly accessible or even of an internal network that could cause unauthorized access to sensitive data.

5. Security Misconfiguration

This vulnerability involves the improper configuration of security mechanisms that can be publicly accessible or even of an internal network that could cause unauthorized access to sensitive data. This could include setting up a firewall incorrectly, allowing hackers to enter and cause harm from within the firewall itself.

Mitigation

1. Correctly configure all security mechanisms.

2. Check for and fix any weak or missing security mechanisms.

3. Review the configuration of applicable libraries to ensure good design practices.

4. Ensure that you set up your firewalls correctly according to the policies you set for your application.

6. Vulnerable and Outdated Components

This area includes the use of vulnerable components, such as those that have known security weaknesses. In addition, an out-of-date component can lead to a higher risk of attack since it might not be up to date with security patches. When relying on third-party software or components, you can't control their internal structures. But you can ensure you update them according to the latest updates, making your application less risky.

Mitigation

1. Update all components according to their release dates.

2. Upgrade all components every six months or as security patches are released.

3. Test the components in your system to ensure they are secure before you install them in production.

7. Identification and Authentication Failures

We relate this vulnerability to failure to authenticate users or access credentials properly. It could include password weaknesses, weak session identifiers, weak session tokens, replay attacks, or weak passwords used for authentication.

Mitigation

1. Use sessions that are not vulnerable to replay attacks.

2. Use strong session identifiers.

3. Use authentication tokens for web apps.

4. Ensure that cookies aren't vulnerable to injection attacks (e.g., do not set unsafe values or sensitive information in cookies themselves).

8. Software and Data Integrity Failures

This area involves software vulnerabilities like buffer overflow attacks, memory corruption problems, and data integrity issues, such as weak checksums or lack of digital signatures and hashing algorithms that can be easily exploited—even by a casual hacker who is interested in your data but performing no actual "hacking."

Mitigation

1. Ensure that the code uses secure checksums to detect and prevent tampering.

2. Verify integrity checks are being performed.

3. Enable encryption of sensitive data to protect it from prying eyes.

9. Security Logging and Monitoring Failures

This vulnerability is about failing to include security logs in your application or not monitoring them—thus causing a lack of historical data that could help figure out how an attack/exploit happened. Logging provides critical information to the developers and security experts who can work on recreating the events that caused such damage from a policy or technical perspective.

Mitigation

1. Enable security logging in your application and monitor it regularly.

2. Ensure the logs include data vital to the system's integrity.

3. Use log correlation tools to correlate events across distributed applications or components.

4. If debugging is required, ensure you're not compromising privacy information in the logs themselves.

This could cause unauthorized actions by attackers after they have a victim click on a malicious link or submit a web form.

10. Server-Side Request Forgery

This area has two problems: The first is the failure to implement a secure request forgery response. And the second is not using a secure HTTP protocol when sending requests among systems. This could cause unauthorized actions by attackers after they have a victim click on a malicious link or submit a web form.

Mitigation

1. Proactively check outgoing requests and block any that look suspicious.

2. Ensure you include no sensitive information in headers that can carry out additional attacks.

Automated API security testing in CICD

Conclusion

The OWASP Top 10 is a valuable resource that helps you build secure web applications by identifying and addressing the most common vulnerabilities in your systems. Following the guidelines above—and integrating API security testing using StackHawk—minimizes your application's exposure to security risks and reduces the likelihood of falling prey to an attack.

This post was written by Mercy Kibet. Mercy is a full-stack developer with a knack for learning and writing about new and intriguing tech stacks.


StackHawk  |  November 10, 2022

Read More

Add AppSec to Your CircleCI Pipeline With the StackHawk Orb

Add AppSec to Your CircleCI Pipeline With the StackHawk Orb

Application Security is Broken. Here is How We Intend to Fix It.

Application Security is Broken. Here is How We Intend to Fix It.

Using StackHawk in GitLab Know Before You Go (Live)

Using StackHawk in GitLab Know Before You Go (Live)